Package: libapt-pkg5.0
Version: 1.4.9
Severity: normal
Tags: patch

Dear Maintainer,

While troubleshooting another problem, I found an invalid memory access when
testing with ASAN.  Attached is a patch to ensure this does not happen.


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapt-pkg5.0 depends on:
ii  libbz2-1.0  1.0.6-8.1
ii  libc6       2.24-11+deb9u3
ii  libgcc1     1:6.3.0-18+deb9u1
ii  liblz4-1    0.0~r131-2+b1
ii  liblzma5    5.2.2-1.2+b1
ii  libstdc++6  6.3.0-18+deb9u1
ii  zlib1g      1:1.2.8.dfsg-5

Versions of packages libapt-pkg5.0 recommends:
ii  apt  1.4.9

libapt-pkg5.0 suggests no packages.

-- no debconf information
commit 706e8fe6cb93323e6b03c662aaced03a36db3574
Author: Sam Bingner <s...@bingner.com>
Date:   Thu Apr 11 13:31:14 2019 -1000

    Don't access invalid string indexes

diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index f25906fba..610965024 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -682,13 +682,13 @@ bool debReleaseIndex::SetSignedBy(std::string const 
&pSignedBy)
         SignedBy = os.str();
       }
       // Normalize the string: Remove trailing commas
-      while (SignedBy[SignedBy.size() - 1] == ',')
+      while (SignedBy.size() > 0 && SignedBy[SignedBy.size() - 1] == ',')
         SignedBy.resize(SignedBy.size() - 1);
    }
    else {
       // Only compare normalized strings
       auto pSignedByView = APT::StringView(pSignedBy);
-      while (pSignedByView[pSignedByView.size() - 1] == ',')
+      while (pSignedByView.size() > 0 && pSignedByView[pSignedByView.size() - 
1] == ',')
         pSignedByView = pSignedByView.substr(0, pSignedByView.size() - 1);
       if (pSignedByView != SignedBy)
         return _error->Error(_("Conflicting values set for option %s regarding 
source %s %s: %s != %s"), "Signed-By", URI.c_str(), Dist.c_str(), 
SignedBy.c_str(), pSignedByView.to_string().c_str());
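
Review bot: The commit message does not say which input triggers the bad index. In both `while` loops the read at `size() - 1` goes out of bounds once the string is empty, which also happens after the loop has stripped a value made up only of commas, and that is worth stating in the message. The added `size() > 0` guards cover both loops correctly. For the `std::string` loop, `!SignedBy.empty() && SignedBy.back() == ','` would read more directly, and since the two loops perform the same trailing-comma trim, a small shared helper would keep them from drifting apart.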
